Record Level Authentication in ADF Security 11g

Is it possible to code my application to support record level authentication by using ADF 11g Security?
For example the CEO Role can read all orders from a view, but other roles can only read the orders by themselves.
Do I have to control this manually or can ADF Security handle this for me? Is there any example of this?
Thanks in advance,
Samson Fu

I can think of three solutions:
1) Go with the Oracle database Virtual Private Database (VPD) feature. This is the ideal solution as it codes that security logic in the database, and doesn't rely on your program/middle tier getting the security correct.
2) In ADF BC create the custom framework as recommended in the JDev Fusion Guide and then modify the custom ViewObjectImpl executeQuery() method such that it always adds your required predicate (where clause) to each VO query.
3) Custom code the Where clause into every ADF BC VO query.
CM.
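
Option 1 from the answer above, worked through for the question's orders case as an added example (not code from the thread). The schema `SALES`, table `ORDERS`, column `CREATED_BY`, context `APP_CTX` and package `APP_CTX_PKG` are assumed names; the middle tier is assumed to call `set_user` each time it takes a pooled connection for a request.

```sql
-- Added example: all object names below are assumptions, not from the thread.

-- Application context; only the named package is allowed to set its values,
-- so arbitrary SQL running in the session cannot change the identity.
CREATE OR REPLACE CONTEXT app_ctx USING sales.app_ctx_pkg;

CREATE OR REPLACE PACKAGE sales.app_ctx_pkg AS
  -- p_is_ceo is 'Y' when the authenticated user holds the CEO role, else 'N'
  PROCEDURE set_user(p_username IN VARCHAR2, p_is_ceo IN VARCHAR2);
  PROCEDURE clear_user;
END app_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sales.app_ctx_pkg AS
  PROCEDURE set_user(p_username IN VARCHAR2, p_is_ceo IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'USERNAME', UPPER(p_username));
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'IS_CEO',
                             CASE WHEN p_is_ceo = 'Y' THEN 'Y' ELSE 'N' END);
  END set_user;

  -- Call when the connection goes back to the pool so the next request
  -- does not inherit the previous user's identity.
  PROCEDURE clear_user IS
  BEGIN
    DBMS_SESSION.CLEAR_ALL_CONTEXT('APP_CTX');
  END clear_user;
END app_ctx_pkg;
/

-- Policy function: the database appends the returned predicate to every
-- statement against the protected table.
CREATE OR REPLACE FUNCTION sales.orders_row_policy(
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('APP_CTX', 'IS_CEO') = 'Y' THEN
    RETURN NULL;  -- NULL predicate: no restriction, CEO sees all orders
  END IF;
  -- Fails closed: if the context was never set, USERNAME is NULL and the
  -- comparison matches no rows.
  RETURN 'created_by = SYS_CONTEXT(''APP_CTX'', ''USERNAME'')';
END orders_row_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWNER_OR_CEO',
    function_schema => 'SALES',
    policy_function => 'ORDERS_ROW_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE   -- reject inserts/updates that would create rows the user cannot see
  );
END;
/

-- Manual check from a test session:
--   EXEC sales.app_ctx_pkg.set_user('ALICE', 'N');
--   SELECT * FROM sales.orders;      -- only rows with CREATED_BY = 'ALICE'
--   EXEC sales.app_ctx_pkg.set_user('CAROL', 'Y');
--   SELECT * FROM sales.orders;      -- every row
--   EXEC sales.app_ctx_pkg.clear_user;
--   SELECT * FROM sales.orders;      -- no rows
```

Accounts holding the `EXEMPT ACCESS POLICY` privilege bypass the policy, so the connection-pool account should not be granted it.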

Similar Messages

  • About login authentication in ADF Security

    I have applied ADF Security in application which I learned from the Cue Cards example and I did it successfully but I wanted to change the login page.
    So I created a PopUp which I learned from "Oracle JDeveloper 11g Handbook A Guide to Oracle Fusion Web Development" and instead of the Menu Button, I used a Go Link Button as I had done in the Cue Cards example.
    But the problem is how to manage the login/logout authentication. As in the book I created a managed bean to handle login and the code is :
    package inventory.controller;

    import java.io.IOException;
    import javax.faces.application.FacesMessage;
    import javax.faces.context.FacesContext;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.login.LoginException;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import weblogic.security.SimpleCallbackHandler;
    import weblogic.security.services.Authentication;
    import weblogic.servlet.security.ServletAuthentication;

    public class LoginHandler {
        private String _username;
        private String _password;

        public LoginHandler() {
            super();
        }

        public String performLogin() {
            byte[] pw = _password.getBytes();
            FacesContext ctx = FacesContext.getCurrentInstance();
            HttpServletRequest request =
                (HttpServletRequest)ctx.getExternalContext().getRequest();
            CallbackHandler handler = new SimpleCallbackHandler(_username, pw);
            try {
                // Authenticate against the WebLogic realm and bind the subject to this request
                Subject mySubject = Authentication.login(handler);
                ServletAuthentication.runAs(mySubject, request);
                // Hand over to the ADF authentication servlet, returning to the current view
                String loginUrl =
                    "/adfAuthentication?success_url=/faces" + ctx.getViewRoot().getViewId();
                HttpServletResponse response =
                    (HttpServletResponse)ctx.getExternalContext().getResponse();
                sendForward(request, response, loginUrl);
            } catch (FailedLoginException fle) {
                FacesMessage msg =
                    new FacesMessage(FacesMessage.SEVERITY_ERROR, "Incorrect Username or Password",
                                     "An incorrect Username or Password" +
                                     " was specified");
                ctx.addMessage(null, msg);
            } catch (LoginException le) {
                reportUnexpectedLoginError("LoginException", le);
            }
            return null;
        }

        private void sendForward(HttpServletRequest request,
                                 HttpServletResponse response, String loginUrl) {
            FacesContext ctx = FacesContext.getCurrentInstance();
            RequestDispatcher dispatcher = request.getRequestDispatcher(loginUrl);
            try {
                dispatcher.forward(request, response);
            } catch (ServletException se) {
                reportUnexpectedLoginError("ServletException", se);
            } catch (IOException ie) {
                reportUnexpectedLoginError("IOException", ie);
            }
            // The response has been handled by the forward; stop the JSF lifecycle
            ctx.responseComplete();
        }

        private void reportUnexpectedLoginError(String errType, Exception e) {
            FacesMessage msg =
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Unexpected Error During Login",
                                 "Unexpected Error during Login (" + errType +
                                 "), please consult logs for detail");
            FacesContext.getCurrentInstance().addMessage(null, msg);
            e.printStackTrace();
        }

        public String performLogout() {
            FacesContext ctx = FacesContext.getCurrentInstance();
            HttpServletRequest request =
                (HttpServletRequest)ctx.getExternalContext().getRequest();
            HttpServletResponse response =
                (HttpServletResponse)ctx.getExternalContext().getResponse();
            String logoutUrl =
                "/adfAuthentication?logout=true&end_url=/faces/home";
            sendForward(request, response, logoutUrl);
            return null;
        }

        public void setUsername(String _username) {
            this._username = _username;
        }

        public String getUsername() {
            return _username;
        }

        public void setPassword(String _password) {
            this._password = _password;
        }

        public String getPassword() {
            return _password;
        }
    }
    But when I run the page and click the login link, it displays the PopUp box, but I think it can't get the username and password from the fields, and it displays the error message specified in the above code (i.e. in the try/catch) when I enter the required username and password and click the login button. So is there something wrong in the code? I ran the application TUHRA which I downloaded, which was an example in the book I specified, and it went well and the login popup worked well.
    And I want to know how to make the button work by just pressing the Enter key without clicking the button. Also, is there a procedural change in the ADF configuration between JDev 11.1.1.1.0 and JDev 11.1.1.5.0? I have JDev 11.1.1.5.0 installed and there was something different in following the steps specified in the book, but I managed it by looking at the Cue Cards example. So is this a problem with the steps or something else?
    Thanks in advance.

    I didn't design the login page but I just created a PopUp window and in the popup window I inserted two Input text fields for username and password.
    And I set the 'value' of the username field as "#{login.username}" and the 'value' of the password field as "#{login.password}".
    Also in the login button the "action" set to #{login.performLogin}.
    And the button which I use to display the popup is a Go Link button, the "Destination" is set to "#{securityContext.authenticated ? "/adfAuthentication?logout=true&end_url=/faces/home.jspx" : "/adfAuthentication?success_url=/faces/home.jspx"} ".
    I inserted the popup inside the Go Button in the structure window.
    And added the managed bean in adfc-config.xml with the following properties:
    Name as “login”
    Class as “inventory.controller.LoginHandler”
    Scope as “request”
    If I don't use the popup and log in with the default generated login form, the login is successful.
    And also when I removed the ADF security configuration, the metadata didn't go away, and when I reconfigured the security some error is displayed in the log details as cannot create or something like rewrite the users.
    Please help, I don't have much time to complete my project. It's an emergency.
    Edited by: SudeepShakya on Nov 4, 2011 10:06 AM

  • Best way Of providing user authentication using ADF security...

    Hi,
    I have a web application. I want to implement ADF Security in the application. What is the best approach for doing this? I have the user information in the database tables along with the roles and other information. I want to use these tables for authorization.
    What is the best approach to do this? It would be great if you could help.
    I am using 11g release 2
    Thanks in advance.
    Rakesh

    Hi,
    Thanks for the quick response.
    I have been looking at the post but I found one of the forum posts in which the person was saying the SQLAuthentication doesn't work.
    "Be wary when using ADF Security (OPSS) with a SQLAuthenticator.
    This is feedback I got in SR 3-4124753004 :
    "If the you want to use DB as the identity store, then the supported way is to buy OVD server license and configure DB adapter in OVD and then configure an OVD authenticator in Weblogic. SQLAuthenticator will not be used as identity store. And, we do not recommend to use LibOVD for DB identity store. OVD server is the recommended and supported way."
    related bugs are :
    - bug 13876651, "FMW CONTROL SHOULD NOT ALLOW MANAGING USERS GROUPS FROM SQL AUTHENTICATOR"
    - enhancement request 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED"
    related forum threads are :
    - "ADF Security : identity store : tables in a SQL database"
    - "OPSS : addMembersToApplicationRole : The search for role failed"
    regards
    Jan Vervecken"
    Is this true?
    Rakesh

  • Page and Record level Authentication / Access control.

    Hi,
    I hope some of you might have come across this kind of issues. I am trying to setup page level authentication and record level access control. Please see below for the detailed description.
    1. Does APEX have any functionality where I can implement my page level authentication schemes.
    Say there are 5 pages/tabs and 10 users, and I want to restrict access as follows.
    All users can read the data in all the pages.
    User 1 thru 8 can read all the pages and edit page 1 and 2
    User 9 and 10 can read and delete the records inside the page.
    2. Is there any mechanism, that supports record level access control.
    Example: There is a page that shows product information for all the products. Is there a mechanism inside APEX wherein this page shows only the products created by its creator (any end user)?
    Is there a way in APEX we can implement this functionality without having user information stored in the DB?
    Thanks in advance.
    Vijay.

    Vijay,
    When a user creates the product why not store the user who created it in a column in the same table. That way you can write something like this:
    CREATE TABLE products_tab (
      productid NUMBER PRIMARY KEY,
      product_name VARCHAR2(200),
      user_created VARCHAR2(30)
    );
    SELECT
      productid,
      product_name,
      ( CASE
          WHEN user_created = :F_USER THEN
            '(edit link)'    -- placeholder: link to edit page goes here
          ELSE '<nbsp>'
        END ) edit_link,
      ( CASE
          WHEN user_created = :F_USER THEN
            '(delete link)'  -- placeholder: link to delete page goes here
          ELSE '<nbsp>'
        END ) delete_link
    FROM products_tab;
    I don't believe you can use an authorization scheme on a button the way you desired. It either displays the column or it doesn't.
    Hope this helps.
    chet

  • ADF Security integration with Web Logic Security using SQL authenticator

    Hi,
    I was trying to find a suitable way of handling the following requirements:
    1. Administrators should be able to create the roles, groups, users and assign users to roles.
    2. User, Roles, Groups should be stored in DB and Users need to be authenticated accordingly.
    3. I need to be able to map roles with security permissions on Taskflows, JSF Pages, on UI level using groovy expressions and even at Entities level.
    I performed the following tasks:
    1. I created back end Security tables, created SQL authenticator as provider and defined the queries in it then I created ADF Application and used JMX APIs to call the SQL authenticator to perform its operations.
    2. I defined the roles and respective resource permissions in ADF i.e. Jazn xml file because my requirement no 3 would not be achievable without using ADF security.
    Now in this scenario how I can login a user in ADF context and assign roles programmatically that I authenticated from JMX APIs? Or is there any other suitable way to handle these requirements?
    Thanks.
    -Moeen

    Hi Charu,
    Thanks for your reply.
    Can we programmatically add a user in adfsecuritycontext as a currently logged in user, a user which is not present in jazn.xml file? If yes then can we programmatically assign the roles which are defined in jazn.xml to that specific user?
    Moeen

  • Problem with ADF Security / SQL Authenticator after upgrade to 11.1.1.6

    Hi,
    We have an ADF application built with JDeveloper 11.1.1.2 that's been in production for a couple of years. Now we are in the process of upgrading to 11.1.1.6 so I have upgraded WLS and ADF in a test environment and re-deployed the application there. The application uses users and groups from database using SQL Authenticator configured in WLS. This worked fine in the old version but now after the upgrade we can't log in with credentials from the database. I can log in if I add a user to the default authenticator. We didn't touch any of the authenticator settings or security realm configurations during the upgrade. Both authenticators are marked as SUFFICIENT, as they have always been.
    Has something changed in the way SQL Authenticator is used since 11.1.1.2? What could be the problem?
    Regards,
    Joonas

    Answering myself here: after recreating the SQL Authenticator and the ADF Security configuration logins are working again. Don't know where the problem was though.

  • Providing ADF security to fusion WebApplication (ADF 11g)

    I created an ADF application containing a single page.
    I am able to deploy this on standalone WLS10.3.
    But I need to provide security for my application.
    I am reading the chapter:
    Enabling ADF Security in a Fusion Web Application in the developer's guide.
    Are there any other sources like demos, blogs or step-by-step tutorials about security which are helpful for beginners? If you have any, please provide them.
    Sailaja

    Here are some links:
    - [Adding Security(Oracle Doc)|http://download.oracle.com/docs/cd/E12839_01/web.1111/b31974/adding_security.htm#BGBCEDDD]
    - [ADF Security Part 1: Container Managed Security (By Frank Nimphius)|http://www.oracle.com/technology/products/jdev/tips/fnimphius/adfsec_camt1/adfsec1.htm]
    - [ADF Security Part 2: Setup and Authentication (By Frank Nimphius)|http://www.oracle.com/technology/products/jdev/tips/fnimphius/adfsec_camt2/ADF%20Security%20Authentication%20and%20Setup.htm]
    - [ADF Security Part 3: Authorization (By Frank Nimphius)|http://www.oracle.com/technology/products/jdev/tips/fnimphius/adfsec_camt3/ADF%20Security%20-%20Authorization.htm]
    - [ADF Security Part 5: ADF BC Entity Security (By Frank Nimphius)|http://www.oracle.com/technology/products/jdev/tips/fnimphius/adfsec_camt5/ADF%20Entity%20Object%20Security%20through%20ADF%20Security.htm]
    Sireesha

  • ADF BC 11g, Weblogic 10.3 - Deployment Issue with ADF Security

    Hi all,
    I know there are many many blogs about deployment of an 11g app using ADF Security to a WLS 10.3 server, however, none appear to be working for me.. or I'm not working with them! :P
    I've deployed an .ear file to the WLS 10.3 and this works fine - after following these steps
    http://www.freewebalbum.com/blogs/faces/bjanko/blogs.jsp?blog=bjanko20090127130431
    I then followed Steve's migration technique
    http://www.oracle.com/technology/products/jdev/tips/muench/credmig111100/index.html
    That all built correctly.
    I then tried to access the app via browser, entered in the user cred (created under Security Realms in WLS 10.3 admin console - user and groups).
    I attempted to login, and received an "Error 401--Unauthorized" error.
    All that I see in the server log is:
    [JpsWlsFilter.doFilter] setContextID to testApp
    I'm totally stuck, so any ideas would be awesome.
    Cheers,
    chris

    Just gave that a shot.. No dice unfortunately.
    Steve Muench wrote:
    You can omit -DdstApp=DEPLOYAPPNAME if the deployed application name is the same as the source application name you supplied in the -DsrcApp=APPNAME argument.
    I hate massive code dumping... but this is my jazn-data.xml
    <?xml version = '1.0' encoding = 'UTF-8'?>
    <jazn-data>
       <jazn-realm default="jazn.com">
          <realm>
             <name>jazn.com</name>
             <users>
                <user>
                   <name>system</name>
                   <guid>0300AED0A9A411DD8F304FB2D3E85932</guid>
                   <credentials>{903}G5cbldq4HwMVt/gQpv1lXuNdLYbSu20y</credentials>
                </user>
             </users>
             <roles>
                <role>
                   <name>PlusAdmin</name>
                   <guid>0300AED1A9A411DD8F304FB2D3E85932</guid>
                   <members>
                      <member>
                         <type>user</type>
                         <name>system</name>
                      </member>
                   </members>
                </role>
                <role>
                   <name>PlusUser</name>
                   <guid>0300AED2A9A411DD8F304FB2D3E85932</guid>
                   <members>
                      <member>
                         <type>user</type>
                         <name>system</name>
                      </member>
                   </members>
                </role>
             </roles>
          </realm>
       </jazn-realm>
       <policy-store>
          <applications>
             <application>
                <name>TestApp</name>
                <app-roles>
                   <app-role>
                      <name>PlusAdmin</name>
                      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                      <members>
                         <member>
                            <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
                            <name>system</name>
                         </member>
                      </members>
                   </app-role>
                   <app-role>
                      <name>PlusUser</name>
                      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                      <members>
                         <member>
                            <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
                            <name>system</name>
                         </member>
                      </members>
                   </app-role>
                </app-roles>
                <jazn-policy>
                   <grant>
                      <grantee>
                         <principals>
                            <principal>
                               <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
                               <name>anonymous-role</name>
                            </principal>
                         </principals>
                      </grantee>
                      <permissions>
                         <permission>
                            <class>oracle.adf.share.security.authorization.RegionPermission</class>
                            <name>com.delexian.plus.ui.pageDefs.LogonPageDef</name>
                            <actions>view</actions>
                         </permission>
                         <permission>
                            <class>oracle.adf.share.security.authorization.RegionPermission</class>
                            <name>com.delexian.plus.ui.pageDefs.LogonErrorPageDef</name>
                            <actions>view</actions>
                         </permission>
                      </permissions>
                   </grant>
                   <grant>
                      <grantee>
                         <principals>
                            <principal>
                               <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                               <name>PlusAdmin</name>
                            </principal>
                         </principals>
                      </grantee>
                      <permissions>
                         <permission>
                            <class>oracle.adf.share.security.authorization.RegionPermission</class>
                            <name>com.delexian.plus.ui.pageDefs.HomePageDef</name>
                            <actions>customize,edit,grant,personalize,view</actions>
                         </permission>
                      </permissions>
                   </grant>
                   <grant>
                      <grantee>
                         <principals>
                            <principal>
                               <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                               <name>PlusUser</name>
                            </principal>
                         </principals>
                      </grantee>
                      <permissions>
                         <permission>
                            <class>oracle.adf.share.security.authorization.RegionPermission</class>
                            <name>com.delexian.plus.ui.pageDefs.HomePageDef</name>
                            <actions>customize,edit,grant,personalize,view</actions>
                         </permission>
                      </permissions>
                   </grant>
                </jazn-policy>
             </application>
          </applications>
       </policy-store>
       <jazn-policy/>
    </jazn-data>

  • Oracle ADF Security Login page

    hi.
    I am using Oracle ADF 11.1.2.2.0 (Oracle JDeveloper 11g release 2) in my job environment. There are 3000 users working at client level in our company. They have separate user IDs and roles. They can change their passwords. There is an expiration period for passwords which is handled at database level. When employees are terminated or retire, we can control their login status; that means we change their Active status to Inactive. Sometimes we recruit a number of employees to cover our business targets. Their user IDs are also at database table level.
    My main problem is how we can handle a number of employees using the Oracle ADF Security configuration.
    The second one is how users can change their passwords.
    The third is how to handle the Active/Inactive state when a number of employees are terminated.
    The fourth one is that if we use this Oracle Security system, project managers, project coordinators or Administrator-level authenticators must deploy the war file from time to time, because of adding and removing users in jazn-data.xml.
    Hoping for help from you. Thanks to all.

    So, you can define SQLAuthenticator/SQLReadOnlyAuthenticator on Weblogic which will retrieve users from your db table(instead of jazn-data file) to application server.
    Then, in your application you can enable ADF Security and this will generate login page.
    And, this is it :)
    If you need some custom processing before users login to your app, then you can create custom login page and do whatever you want in Java code:
    http://docs.oracle.com/cd/E16162_01/web.1112/e16182/adding_security.htm#BABDEICH
    >
    But 11g has Database connection in Application Resource. Using that connection I need to log to the system using user's User iD and Password
    >
    This connection is valid only in design time. When you deploy your application to application server, then you can include this connection in .ear file, or you can define Data Source on Weblogic(which is better approach).
    To programmatically retrieve the db connection, you can create a utility method in your Application Module.
    Dario

  • JDev11 R.1. ADF Security Authorization

    Hi,
    I would like to know if it might be possible to use authentication via the RDBMS authentication provider of Weblogic App. Server and ADF Security Authorization together in a JDev 11 application. I am reading the documentation and it says that: 'ADF Security relies on the jazn-data.xml file for the policy store whether you are using the XML-based identity store or the LDAP identity store.' One could define roles and their access rights in jazn-data.xml and might expect authentication and isUserInRole services coming from the authentication service without defining users (role members) at design time. Is it or will it be possible in future?
    Best Regards.

    Hi
    I think it is too early and I don't know if they will ever build this. ( because they also have to support other app servers). Is RDBMS authentication provider of Weblogic App. Server a JAAS implementation?
    in TP4 you had a db login module , don't know if this is supported in 11g production.
    jps-config.xml
    <serviceInstance provider="jaas.login.provider" name="testlogin">
    <description>Sample LoginModule</description>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="ovs_user" name="table"/>
    <property value="jdbc/OVSDS" name="data_source_name"/>
    <property value="role_name" name="groupMembershipGroupFieldName"/>
    <property value="password" name="passwordField"/>
    <property value="ovs_user_role_view" name="groupMembershipTableName"/>
    <property value="role_name" name="usernameField"/>
    <property value="role_name" name="pw_encoding_class"/>
    <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder" name="groupMembershipGroupFieldName"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="oracledb.loginmodule">
    <property value="true" name="debug"/>
    <property value="true" name="addAllRoles"/>
    <property value="passwd" name="passwordField"/>
    <property value="role_name" name="groupMembershipGroupFieldName"/>
    <property value="jdbc/authschemaDS" name="data_source_name"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="application_roles" name="groupMembershipTableName"/>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
    <property value="FINEST" name="log.level"/>
    <property value="username" name="usernameField"/>
    <property value="application_users" name="table"/>
    <property value="username" name="user_pk_column"/>
    <property value="username" name="roles_fk_column"/>
    <property value="tolower" name="casing"/>
    <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder" name="pw_encoding_class"/>
    </serviceInstance>
    thanks Edwin
    Edited by: biemond on Oct 19, 2008 10:50 AM

  • ADF Security Design Question

    Hi All,
    I am developing an ADF web application. The security design is such that user authentication is mapped to database users. In the design I see several pros and cons:
    1) Different database users means I cannot take advantage of connection pooling.
    2) The architect argues SQL querying can be controlled at database level for each user.
    I have never been involved in such a web application. Can anybody please guide me if this is the way to go for ADF web application, any other pros and cons. The database is Oracle 11g. I still believe that application security should not be tied to the database security.
    Worst case if I have to go with this design, How to implement ADF security using database users.
    Thanks

    I blogged a use case for using Proxy Authentication with JPA here http://blogs.oracle.com/olaf/2010/04/using_oracle_proxy_authenticat.html. (Being a sample it includes a setter for user name, but a case with a JAAS Subject and Principal is easily adaptable).
    I'll dig out an ADF BC example and blog about it, too.
    --olaf

  • [SOLVED] ADF Security: No success with DBTableOraDataSourceLoginModule

    Hi,
    Because I have not had success implementing simple ADF Security in my application for weeks, I am trying again with this post.
    Hopefully someone who was already successful with this issue can give me the hint, missing step or something else.
    I have read many forum posts, blogs and documentation (10.x) but because ADF security has been changed from 10g to 11g I'm never sure if a documented step from 10g is necessary for 11g also.
    I also posted my problem to posts with similar problems but no response :-(
    I use 11g, TP4.
    My Requirement:
    =============
    - user accounts and roles are stored within database tables
    - roles are not used (every user has the same rights) but stored in the database table
    - Custom Login-Page (jspx)
    - At login ADF Security only needs to check if the entered user/password is stored in the database table (no password encryption is used at the moment)
    Steps I have done:
    ADF Security wizard:
    ================
    Step 1: Enforce Authorization NOT checked (Also tried to CHECK this checkbox)
    Redirect upon successful Authentication CHECKED
    generate Default CHECKED
    Step 2: No identity store CHECKED
    Step 3: Enable Credential Store CHECKED
    Step 4: No Policy Store CHECKED
    Step 5: Enable Anonymous Provider
    Step 6: Manage Login Modules --> Add "oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
    Name = oracledb.loginmodule
    Login Control Flag = Required
    Log Level = fine
    --> Add "oracledb.loginmodule" as the only "Selected login module"
    Step 7: Form-Based Authentication
    Generate default is CHECKED
    Step 8: WebResources: allPages
    Selected Roles: valid-users
    Step 9: FINISH Wizard
    Then I edit jps-config.xml manually. Here the actual content:
    =============================================================
    <serviceInstance provider="jaas.login.provider"
    name="oracledb.loginmodule">
    <property value="true" name="debug"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="true" name="addAllRoles"/>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
    name="loginModuleClassName"/>
    <property value="FINE" name="log.level"/>
    <property value="jdbc/TLS-BOBDS" name="data_source_name"/>
    <property value="passwort" name="passwordField"/>
    <property value="rol_rolle" name="groupMembershipGroupFieldName"/>
    <property value="bediener_rollen" name="groupMembershipTableName"/>
    <property value="user_kennung" name="usernameField"/>
    <property value="bediener" name="table"/>
    <property value="persnr" name="user_pk_column"/>
    <property value="bed_persnr" name="roles_fk_column"/>
    <property value="toupper" name="casing"/>
    </serviceInstance>
    ====================================
    Then I start the application. Re-direction to the login-page works fine.
    I enter username/password and press submit --> The following error occurs in the OC4J log:
    ===================
    WARNUNG: TLS-BOB-ViewController-webapp: error encountered during authentication
    java.util.MissingResourceException: Can't find resource for bundle oracle.security.jps.internal.common.resources.common.CommonResources, key JPS-02575
         at java.util.ResourceBundle.getObject(ResourceBundle.java:325)
         at java.util.ResourceBundle.getObject(ResourceBundle.java:322)
         at java.util.ResourceBundle.getString(ResourceBundle.java:285)
         at oracle.security.jps.util.JpsBundle.getString(JpsBundle.java:133)
         at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:424)
         at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:401)
         at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:99)
         at oracle.security.jps.fmw.JpsUserManager.getUserFromIdmStore(JpsUserManager.java:1109)
         at oracle.security.jps.fmw.JpsUserManager.getUser(JpsUserManager.java:1022)
         at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
         at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
         at com.evermind.server.http.EvermindHttpServletRequest.getUserPrincipalInternal(EvermindHttpServletRequest.java:3927)
         at com.evermind.server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6965)
         at com.evermind.server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3350)
         at com.evermind.server.http.HttpRequestHandler.doResolveRequestDispatcher(HttpRequestHandler.java:1005)
         at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:822)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:658)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:626)
         at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:417)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:189)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:163)
         at oracle.oc4j.network.ServerSocketReadHandler$ClientRunnable.run(ServerSocketReadHandler.java:275)
         at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:237)
         at oracle.oc4j.network.ServerSocketAcceptHandler.access$800(ServerSocketAcceptHandler.java:29)
         at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:877)
         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
         at java.lang.Thread.run(Thread.java:595)
    ==================================================
    My questions:
    =============
    1) Are there additional steps necessary to implement ADF Security for my requirements?
    2) If yes, which? Which files do I have to edit manually after the ADF security wizard has finished?
    Any help is warmly welcome!
    regards
    Peter

    Hello
    Many thanks to CP and Andre who gave the missing hints in this thread:
    OC4J 11g and JAZN
    The property custom.provider mentioned by cp was the "missing link" --> now it works.
    BUT "Nobody knows the trouble I've seen ..." !
    I made dozens of trials with the same application and always similar (strange) results.
    When I CHECK "enforce Authorization" in the ADF security wizard then
    the redirection to the Login Page does NOT work (the reason is unclear to me)
    If I UNCHECK "enforce Authorization" in the ADF security wizard then
    the redirection to the login page works fine BUT the redirect upon successful Authentication doesn't work.
    --> In this case the following code is missing in web.xml
    =====================
    <servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <init-param>
    <param-name>success_url</param-name>
    <param-value>welcome.jsp</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    </servlet>
    =================================
    I think (but not 100%) that SOMETIMES the property "<property value="true" name="custom.provider"/>" has been created by the ADF security wizard.
    SOMETIMES I was not able to create the default welcome.jsp with the ADF Security Wizard, ....
    Maybe someone can reproduce this behaviour and file a bug.
    regards
    Peter
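
A check for the two gaps reported in the post above, the custom.provider property on the login-module serviceInstance in jps-config.xml and the adfAuthentication servlet (with its success_url parameter) in web.xml. This is an added example, not Oracle's or the poster's code; the class and method names and the inline XML are constructed for illustration, while the element and property names are the ones quoted in the thread.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AdfSecurityConfigCheck {
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject DOCTYPE declarations so parsing a config file never resolves external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Value of the <property name="..."> under parent, or null when it is absent.
    static String property(Element parent, String name) {
        NodeList props = parent.getElementsByTagName("property");
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            if (name.equals(p.getAttribute("name"))) return p.getAttribute("value");
        }
        return null;
    }

    // True when some <tag> element below parent has exactly this text.
    static boolean hasChildText(Element parent, String tag, String text) {
        NodeList n = parent.getElementsByTagName(tag);
        for (int i = 0; i < n.getLength(); i++)
            if (text.equals(n.item(i).getTextContent().trim())) return true;
        return false;
    }

    static List<String> check(String jpsConfig, String webXml) throws Exception {
        List<String> findings = new ArrayList<>();
        NodeList instances = parse(jpsConfig).getElementsByTagName("serviceInstance");
        for (int i = 0; i < instances.getLength(); i++) {
            Element si = (Element) instances.item(i);
            if ("jaas.login.provider".equals(si.getAttribute("provider"))
                    && !"true".equals(property(si, "custom.provider")))
                findings.add("jps-config.xml: " + si.getAttribute("name")
                        + " lacks custom.provider=true");
        }
        boolean servletFound = false;
        NodeList servlets = parse(webXml).getElementsByTagName("servlet");
        for (int i = 0; i < servlets.getLength(); i++) {
            Element s = (Element) servlets.item(i);
            if (!hasChildText(s, "servlet-name", "adfAuthentication")) continue;
            servletFound = true;
            if (!hasChildText(s, "param-name", "success_url"))
                findings.add("web.xml: adfAuthentication has no success_url init-param");
        }
        if (!servletFound) findings.add("web.xml: adfAuthentication servlet is not declared");
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs that reproduce both gaps described in the post.
        String jps = "<jpsConfig><serviceInstances>"
            + "<serviceInstance provider=\"jaas.login.provider\" name=\"oracledb.loginmodule\">"
            + "<property value=\"REQUIRED\" name=\"jaas.login.controlFlag\"/>"
            + "</serviceInstance></serviceInstances></jpsConfig>";
        String web = "<web-app><servlet><servlet-name>Faces Servlet</servlet-name>"
            + "</servlet></web-app>";
        check(jps, web).forEach(System.out::println);
    }
}
```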

  • ADF Security: "create" privilege in EO?

    Hello all,
    I see from the Fusion Developer's Guide that we have permissions that can be associated with an Entity Object for Read, Delete, and Update. There is nothing specified for "create." Is the create permission included with Update and/or Delete?
    Best,
    John

    Hi John
    From memory it's missing but it sort of logically makes sense because the EO represents a single record that must already exist. As such we're probably missing a set of ADF BC security privs at the VO level (or maybe the EntityCache) that include create, execute, next, prev + those inherited from the individual EO.
    If memory (again) serves me correctly Frank (or maybe Steve?) demonstrated (or at least commented that it's possible) how to extend the framework to include new privs, but I can't find the link at this stage.
    The ADF BC Security 11g implementation at EO level seems somewhat clunky and, like the 10.1.3 features, I think unless improved it won't be used. This is what our notes say after we previously researched the capabilities:
    "Entity Objects are secured via the Entity Object document window, selecting the General tab, followed by the operation you wish to secure under the Security heading. Note if you do not enable an operation within this section, this implies the operation is not secured and by default users *will* be able to execute the operation. For example enabling the read option but not the update option, implies that users must be explicitly granted the read operation before they can view the Entity Object, however (counter-intuitively) updating the Entity Object is allowed"
    Sorry this isn't a direct answer to your question, but hopefully helpful.
    Regards,
    CM.

  • ADF Security unable to run/deploy

    Hi all,
    I want to use ADF Security in my new project, so I created a simple test application in my JDeveloper 11g R1.
    What I have done is simple: I created a new application using the Fusion Web Application Template, and then I ran the Config ADF Security Wizard from the Application->Secure menu. In the wizard, I selected generate default login page and welcome page. Then I tried to run the login.html.
    But it failed with the following error messages. Can anybody help me?
    Thanks in advance.
    2009年11月16日 下午02:13:17 oracle.mds.internal.lcm.logging.MDSLCMLogger info
    資訊: Application ID : wsm-pm
    2009年11月16日 下午02:13:17 oracle.mds.internal.lcm.logging.MDSLCMLogger info
    資訊: "Metadata Services: Metadata archive (MAR) not found."
    <2009年11月16日 下午02時13分37秒 CST> <Notice> <LoggingService> <BEA-320400> <The log file C:\Documents and Settings\itssdu10\Application Data\JDeveloper\system11.1.1.1.33.54.07\DefaultDomain\servers\DefaultServer\logs\DefaultDomain.log will be rotated. Reopen the log file if tailing has stopped. This can happen on some platforms like Windows.>
    <2009年11月16日 下午02時13分37秒 CST> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to C:\Documents and Settings\itssdu10\Application Data\JDeveloper\system11.1.1.1.33.54.07\DefaultDomain\servers\DefaultServer\logs\DefaultDomain.log00001. Log messages will continue to be logged in C:\Documents and Settings\itssdu10\Application Data\JDeveloper\system11.1.1.1.33.54.07\DefaultDomain\servers\DefaultServer\logs\DefaultDomain.log.>
    <2009年11月16日 下午02時13分37秒 CST> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
    2009年11月16日 下午02:13:38 oracle.wsm.audit.Auditor <init>
    資訊: Created J2EE application auditor for componentType=oracle.security.jps.internal.audit.AuditServiceImpl$Auditor@95c8c2
    2009年11月16日 下午02:13:38 oracle.adf.share.config.ADFConfigFactory getInstance
    資訊: ADF Config instance implementation in use is : oracle.adf.share.config.MDSConfigFactory
    2009年11月16日 下午02:13:41 oracle.adf.share.config.ADFMDSConfig parseADFConfiguration
    資訊: Configuration file:/META-INF/adf-config.xmlcannot not be read by MDS. Reading directly from the classpath
    <2009年11月16日 下午02時13分42秒 CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
    <2009年11月16日 下午02時13分42秒 CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
    <2009年11月16日 下午02時13分42秒 CST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
    <2009年11月16日 下午02時13分42秒 CST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.16.127.167:7101 for protocols iiop, t3, ldap, snmp, http.>
    <2009年11月16日 下午02時13分42秒 CST> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
    <2009年11月16日 下午02時13分42秒 CST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
    <2009年11月16日 下午02時13分42秒 CST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
    DefaultServer startup time: 53578 ms.
    DefaultServer started.
    [Running application TestLogin on Server Instance DefaultServer...]
    <2009年11月16日 下午02時13分49秒 CST> <Warning> <J2EE> <BEA-160195> <The application version lifecycle event listener oracle.security.jps.wls.listeners.JpsAppVersionLifecycleListener is ignored because the application TestLogin is not versioned.>
    2009年11月16日 下午02:13:49 oracle.mds.internal.lcm.logging.MDSLCMLogger info
    資訊: Application ID : TestLogin
    2009年11月16日 下午02:13:49 oracle.mds.internal.lcm.logging.MDSLCMLogger info
    資訊: "Metadata Services: Metadata archive (MAR) not found."
    2009年11月16日 下午02:13:49 JpsApplicationLifecycleListener Policy Migration
    資訊: Application [TestLogin] is being deployed, start policy migration with jps.policystore.migration set to OVERWRITE.
    2009年11月16日 下午02:13:49 JpsApplicationLifecycleListener Policy Migration
    資訊: Application policy migration for [TestLogin] is completed successfully.
    2009年11月16日 下午02:13:50 JpsApplicationLifecycleListener Policy Migration
    資訊: Codebase policy migration for [TestLogin] is completed successfully.
    <2009年11月16日 下午02時13分50秒 CST> <Error> <Deployer> <BEA-149265> <Failure occurred in the execution of deployment request with ID '1258352028648' for task '0'. Error is: 'java.lang.NullPointerException'
    java.lang.NullPointerException
         at oracle.security.pki.l.c(Unknown Source)
         at oracle.security.pki.l.b(Unknown Source)
         at oracle.security.pki.OracleSSOKeyStoreSpi.engineLoad(Unknown Source)
         at oracle.security.pki.OracleSecretStore.load(Unknown Source)
         at oracle.security.pki.OracleWallet.getSecretStore(Unknown Source)
         Truncated. see log file for complete stacktrace
    java.lang.NullPointerException
         at oracle.security.pki.l.c(Unknown Source)
         at oracle.security.pki.l.b(Unknown Source)
         at oracle.security.pki.OracleSSOKeyStoreSpi.engineLoad(Unknown Source)
         at oracle.security.pki.OracleSecretStore.load(Unknown Source)
         at oracle.security.pki.OracleWallet.getSecretStore(Unknown Source)
         Truncated. see log file for complete stacktrace
    >
    <2009年11月16日 下午02時13分50秒 CST> <Warning> <Deployer> <BEA-149004> <Failures were detected while initiating deploy task for application 'TestLogin'.>
    <2009年11月16日 下午02時13分50秒 CST> <Warning> <Deployer> <BEA-149078> <Stack trace for message 149004
    java.lang.NullPointerException
         at oracle.security.pki.l.c(Unknown Source)
         at oracle.security.pki.l.b(Unknown Source)
         at oracle.security.pki.OracleSSOKeyStoreSpi.engineLoad(Unknown Source)
         at oracle.security.pki.OracleSecretStore.load(Unknown Source)
         at oracle.security.pki.OracleWallet.getSecretStore(Unknown Source)
         Truncated. see log file for complete stacktrace
    java.lang.NullPointerException
         at oracle.security.pki.l.c(Unknown Source)
         at oracle.security.pki.l.b(Unknown Source)
         at oracle.security.pki.OracleSSOKeyStoreSpi.engineLoad(Unknown Source)
         at oracle.security.pki.OracleSecretStore.load(Unknown Source)
         at oracle.security.pki.OracleWallet.getSecretStore(Unknown Source)
         Truncated. see log file for complete stacktrace
    >
    [02:13:50 PM] Weblogic Server Exception: weblogic.application.WrappedDeploymentException
    [02:13:50 PM] See server logs or server console for more details.
    [02:13:50 PM] #### Deployment incomplete. ####
    oracle.jdeveloper.deploy.DeployException: oracle.jdeveloper.deploy.DeployException: oracle.jdeveloper.deploy.DeployException: Deployment Failed
    oracle.jdeveloper.deploy.DeployException: oracle.jdeveloper.deploy.DeployException: oracle.jdeveloper.deploy.DeployException: Deployment Failed
         at oracle.jdevimpl.deploy.common.Jsr88RemoteDeployer.doDeploymentAction(Jsr88RemoteDeployer.java:341)
         at oracle.jdevimpl.deploy.common.Jsr88RemoteDeployer.deployImpl(Jsr88RemoteDeployer.java:235)
         at oracle.jdeveloper.deploy.common.AbstractDeployer.deploy(AbstractDeployer.java:94)
         at oracle.jdevimpl.deploy.fwk.WrappedDeployer.deployImpl(WrappedDeployer.java:39)
         at oracle.jdeveloper.deploy.common.AbstractDeployer.deploy(AbstractDeployer.java:94)
         at oracle.jdeveloper.deploy.common.BatchDeployer.deployImpl(BatchDeployer.java:82)
         at oracle.jdeveloper.deploy.common.AbstractDeployer.deploy(AbstractDeployer.java:94)
         at oracle.jdevimpl.deploy.fwk.WrappedDeployer.deployImpl(WrappedDeployer.java:39)
         at oracle.jdeveloper.deploy.common.AbstractDeployer.deploy(AbstractDeployer.java:94)
         at oracle.jdevimpl.deploy.fwk.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:442)
         at oracle.jdeveloper.deploy.DeploymentManager.deploy(DeploymentManager.java:209)
         at oracle.jdevimpl.runner.adrs.AdrsStarter$6$1.run(AdrsStarter.java:1469)
    Caused by: oracle.jdeveloper.deploy.DeployException: oracle.jdeveloper.deploy.DeployException: Deployment Failed
         at oracle.jdevimpl.deploy.common.Jsr88DeploymentHelper.deployApplication(Jsr88DeploymentHelper.java:483)
         at oracle.jdevimpl.deploy.common.Jsr88RemoteDeployer.doDeploymentAction(Jsr88RemoteDeployer.java:332)
         ... 11 more
    Caused by: oracle.jdeveloper.deploy.DeployException: Deployment Failed
         at oracle.jdevimpl.deploy.common.Jsr88DeploymentHelper.deployApplication(Jsr88DeploymentHelper.java:465)
         ... 12 more
    #### Cannot run application TestLogin due to error deploying to DefaultServer.
    [Application TestLogin stopped and undeployed from Server Instance DefaultServer]
    Samson Fu

    I found from the error message that the deployment failed inside JDeveloper, so the application cannot be run from JDeveloper. I don't understand why JDeveloper is unable to run an application that is generated by the built-in wizard. I've tried reinstalling my JDeveloper 11g, but I still cannot get it to work.
    Regards,
    Samson Fu

  • How to integrate a SSO based in cookie with ADF Security

    At work they asked me to integrate an existing cookie-based SSO with the new ADF + JDeveloper 11g + WLS. After googling for days and reading a lot of blogs and official documentation, I've made a custom LoginModule. I made it very simple: it's just an "if" inside the login() function on the username; if the username is "john" I put some Principals into the Subject. My steps are:
    1- Create a new app based on "Fusion application" template.
    2- Make a new ADF Taskflow with only one view inside (the entry point of the taskflow). The jspx only contains a welcome message.
    3- Run the ADF Security wizard, all the steps with the default option, I don't change anything.
    4- Put some users and some roles in jazn-data.xml, mapping them to an application role. Then I grant permissions to the application role to view the previous task flow.
    At this point everything is OK. I run the taskflow and a basic login popup prompts me to enter my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that gets the HttpRequest and passes it to an existing class that returns true/false depending on whether the cookie is correct or not but, as I said before, my LoginModule is very simple for now and I haven't even tried to do anything more complicated than an if. The steps I tried are:
    in jps-config.xml
    5- Remove idstore.xml and credentials.
    6- (loginmodule tab) Make a new login module, and put my class here. The class is in the ViewController project and JDeveloper finds it when navigating through the hierarchy, so I have visibility. I put the REQUIRE flag, add all roles and debug mode.
    7- In the security context unmark the idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
    All that I've got so far is a 500 error (Internal server error - Authorization Exception). Sometimes (the closest I've ever been to doing something correct) the browser asks me for user/password but then only recognizes the users that are already in WLS (idstore from previous tests), but NOT the "john" user that is inside my custom LoginModule. Even more, if I run the WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed or I made some error mapping the roles.
    So, my questions are:
    - Am I on the right track? If I want authentication based on a cookie/HttpRequest, do I have to write a custom LoginModule? My goal is to write reusable code, and to reuse the code that my co-workers have written. They have a class that, with only the HttpRequest, determines whether a user is logged in or not.
    - If I'm on the right track... how can I put my custom LoginModule in the WLS? I tried to search for something in the Administration Panel (localhost:7101/console) but I didn't find anything.
    - In case I get the custom LoginModule working fine in WLS... how can I get an HttpRequest from a LoginModule and avoid the username/password dialog? Do I have to make a filter and pass it to my LoginModule? If that's correct... how?
    I'm not posting my code because it is so simple; it's based on DBTableLoginModule but without all the database access code.
    Thanks to all!
    P.S.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
    P.S. 2: Sorry about my English, I'm Spanish. I know I have to practise a lot :)

    Hi Frank,
    Thanks a lot for your answer. Just one more easy question: is what I need to write a custom Authentication Module (which will read the cookie)? If you could point me to the correct chapter of the WLS documentation I'd be very pleased.
    Will it be easier to do this kind of security-related thing in future releases of JDeveloper?
    Riveck
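
The login module described in the SSO question above (a fixed check on the user name that adds principals), written against the standard JAAS API as an added example; it is not the poster's code. It prepares the principals in login() and attaches them to the Subject only in commit(), and it is driven here by a plain JDK LoginContext, so it shows nothing about how WebLogic or OPSS loads a module or reads a cookie. The class names and the "valid-users" role are constructed for the demo.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class FixedUserLoginDemo {
    static final class NamedPrincipal implements Principal {   // hypothetical principal type
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public static class FixedUserLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private final Set<Principal> pending = new HashSet<>();
        public void initialize(Subject subject, CallbackHandler handler,
                Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        // Phase 1: decide only; the Subject stays untouched until the whole stack succeeds.
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            try {
                handler.handle(new Callback[] { name });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot read user name: " + e.getMessage());
            }
            // Stand-in for the real check, mirroring the "if" described in the post.
            if (!"john".equals(name.getName())) throw new FailedLoginException("unknown user");
            pending.add(new NamedPrincipal("john"));
            pending.add(new NamedPrincipal("valid-users"));   // constructed role name
            return true;
        }
        // Phase 2: LoginContext calls this only when the overall login succeeded.
        public boolean commit() {
            if (pending.isEmpty()) return false;
            subject.getPrincipals().addAll(pending);
            return true;
        }
        public boolean abort() { pending.clear(); return true; }   // discard phase-1 state
        public boolean logout() { subject.getPrincipals().removeAll(pending); return abort(); }
    }

    // Runs the module through a LoginContext with an in-memory configuration.
    static Subject login(String user) throws LoginException {
        AppConfigurationEntry entry = new AppConfigurationEntry(
            FixedUserLoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>());
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        CallbackHandler cb = callbacks -> ((NameCallback) callbacks[0]).setName(user);
        LoginContext ctx = new LoginContext("demo", new Subject(), cb, cfg);
        ctx.login();
        return ctx.getSubject();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("john: " + login("john").getPrincipals().size() + " principals");
        try { login("mallory"); }
        catch (FailedLoginException e) { System.out.println("mallory: rejected"); }
    }
}
```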
